How to restrict Google Cloud Enterprise Access to a Specific IP Address

Google Cloud Enterprise is widely used to host applications, store data, and support collaboration across organizations. These environments often contain sensitive business data, user accounts, and critical infrastructure, making them a key target for cyberattacks.

One of the most common ways attackers gain unauthorized access to Google Cloud Enterprise is through compromised credentials.

One effective way to prevent this is to restrict access to your Google Cloud Enterprise account to specific IP addresses.

Doing so adds an important layer of security by controlling where access can originate and limiting exposure to external threats.

Why you should restrict Google Cloud Enterprise access by IP address

Restricting access to Google Cloud based on IP address prevents sign-ins from unknown locations, so even if credentials are compromised, attackers cannot use them from outside the approved addresses.

Doing so protects your sensitive data and cloud resources, reduces risk of account takeover, and supports compliance and regulatory requirements.

Step-by-step: Restricting Google Cloud Enterprise access to specific IP addresses using Conditional Access

When Entra ID is configured as the identity provider for GCP via SAML SSO, Conditional Access policies are evaluated at sign-in time, allowing access to be blocked from any IP not on your approved list before a SAML assertion is issued to Google.

The approach uses two components working together:

  • Named Locations: a saved list of trusted IP addresses or CIDR ranges defined in Entra ID.
  • Conditional Access policy: a policy that blocks GCP sign-ins originating from any IP not on the trusted list.

NOTE: In Entra ID, GCP access is managed through the Google Cloud / G Suite Connector by Microsoft enterprise application. This same app also covers Google Workspace services. If your organization uses both GCP and Google Workspace under the same Google Cloud Identity or Workspace account, this policy will apply to both. Scope your user assignments accordingly if you need different policies for each service.

IMPORTANT: Google Workspace super admins are exempt from third-party SSO by design. They can always sign in directly with their Google credentials regardless of SSO settings. This means the Conditional Access policy will not apply to super admin accounts. Ensure super admin accounts are secured separately and their use is monitored.

Prerequisites

Before proceeding, confirm the following are in place:

  • Microsoft Entra ID P1 or P2 license — required for Conditional Access.
  • Conditional Access Administrator role or higher in Microsoft Entra ID.
  • Google Cloud / G Suite Connector by Microsoft enterprise app registered in your Entra ID tenant with SAML SSO configured and a SAML SSO profile assigned to your users in the Google Admin Console.
  • Security Defaults disabled — Security Defaults and Conditional Access cannot run simultaneously.
  • Known static IP address — the public IP address or CIDR range of each approved location.
  • Break-glass admin account — must be excluded from this policy to prevent administrative lockout.

IMPORTANT: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.

Step 1: Create a Named Location for your trusted IP(s)

A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.

  1. Sign in to the Microsoft Entra admin center at entra.microsoft.com.
  2. Navigate to Protection > Conditional Access > Named locations.
  3. Select + IP ranges location.
  4. Name the location — for example: Trusted - Corporate Office
  5. Check the Mark as trusted location checkbox.
  6. Click + and enter your approved IP address or CIDR range. Examples:
    • Single IP address: 203.0.113.10/32
    • IP range (CIDR): 203.0.113.0/24
    • Multiple sites: Create a separate Named Location for each site, then reference all of them in the policy.
  7. Click Create.

Step 2: Create the Conditional Access policy

Create a policy that blocks Google Cloud Platform access from any location not on your trusted list.

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select + New policy.
  3. Name the policy — for example: Block Google Cloud Platform - Outside Trusted IPs

Assignments: Users

  1. Under Assignments > Users, select All users.
  2. Under Exclude, add your break-glass admin account and any service accounts or automation identities that authenticate from dynamic IPs.

NOTE: GCP automation workloads that use service account keys or Workload Identity Federation authenticate directly with Google APIs and do not go through Entra ID SAML SSO. Those workloads are not affected by this policy. Only human user sign-ins routed through the SAML SSO flow are subject to this Conditional Access policy.

Assignments: Target resources

  1. Under Target Resources, select Cloud apps > Select apps.
  2. Search for and select Google Cloud / G Suite Connector by Microsoft.

Conditions: Locations

  1. Under Conditions > Locations, set Configure to Yes.
  2. Under Include, select Any location.
  3. Under Exclude, select Selected locations, then choose your Named Location from Step 1.

TIP: This configuration reads: apply this policy to sign-ins from any location, except the trusted named location. Any GCP sign-in originating outside the trusted IP will be blocked before Entra ID issues a SAML assertion to Google.

Access controls: Grant

  1. Under Access Controls > Grant, select Block access.
  2. Click Select to confirm.

Enable Policy

  1. Set Enable policy to Report-only.
  2. Click Create.

IMPORTANT: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will prevent all users from authenticating to GCP. Always validate in Report-only mode first.

Step 3: Validate the policy

Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.

  1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
  2. Filter by the Google Cloud / G Suite Connector by Microsoft application.
  3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
  4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition listed as the reason.
  5. Investigate any unexpected Would fail entries. This typically indicates the network is presenting a different egress IP than what is entered in the Named Location.

TIP: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
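To show how the Named Location, the block policy and the Report-only validation fit together, here is an added Python example (not ThreatLocker's or Microsoft's code). It builds the Microsoft Graph request bodies that correspond to Steps 1 and 2 and simulates the Would succeed / Would fail outcome of Step 3 for a few constructed sign-ins; the user, application and Named Location IDs are placeholders you would replace with the values from your tenant.

```python
import ipaddress

# Placeholders (not real values): the object ID of your break-glass account,
# the appId of the Google Cloud / G Suite Connector service principal, and the
# Named Location ID that Graph returns after Step 1.
BREAK_GLASS_USER_ID = "<break-glass-user-object-id>"
GCP_CONNECTOR_APP_ID = "<google-cloud-g-suite-connector-appId>"
TRUSTED_OFFICE_ID = "<named-location-id-returned-by-graph>"


def named_location_body(name, cidrs):
    """Body for POST /identity/conditionalAccess/namedLocations (Step 1)."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": True,  # the 'Mark as trusted location' checkbox
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                      "cidrAddress": str(ipaddress.ip_network(c))} for c in cidrs],
    }


def block_policy_body(name, app_id, named_location_id, excluded_users):
    """Body for POST /identity/conditionalAccess/policies (Step 2), created in
    Report-only state so it can be validated before enforcement."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_users)},
            "applications": {"includeApplications": [app_id]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [named_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def evaluate(policy, locations, user_id, app_id, ip):
    """Simulate the Conditional Access decision for one sign-in (Step 3):
    'Would fail' when the block policy applies, 'Would succeed' otherwise."""
    cond = policy["conditions"]
    if user_id in cond["users"]["excludeUsers"]:
        return "Would succeed"           # break-glass / excluded identity
    if app_id not in cond["applications"]["includeApplications"]:
        return "Would succeed"           # policy only targets the GCP connector
    addr = ipaddress.ip_address(ip)
    for loc_id in cond["locations"]["excludeLocations"]:
        for r in locations[loc_id]["ipRanges"]:
            if addr in ipaddress.ip_network(r["cidrAddress"]):
                return "Would succeed"   # egress IP is inside the trusted location
    return "Would fail"                  # any other egress IP is blocked
```

If a user on the office network shows Would fail here (or in the real sign-in logs), compare the IP in the log entry with the CIDR in the Named Location: a mismatched egress address is the usual cause.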

Step 4: Enable the policy

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select the policy created in Step 2.
  3. Change Enable policy from Report-only to On.
  4. Click Save.

From this point forward, any GCP sign-in attempt from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to Google, and the user will be denied access to the Google Cloud Console and associated services.

NOTE: Users who are already signed in to GCP when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh, typically within one hour. Super admin accounts are exempt from third-party SSO by Google's design and will not be affected by this policy regardless of IP address.

Summary

The following summarizes the full configuration process:

  • Prerequisites: Confirm license, Google Cloud / G Suite Connector SAML SSO configured, SAML profile assigned in Google Admin Console, Security Defaults disabled, static IP(s) identified
  • Step 1: Create a Named Location with your trusted IP address(es) in Entra ID
  • Step 2: Create a CA policy targeting Google Cloud / G Suite Connector by Microsoft, excluding the Named Location, with Block access
  • Step 3: Validate in Report-only mode using sign-in logs and the What If tool
  • Step 4: Switch Enable policy to On

FAQs

Can Google Cloud restrict access by IP address natively?

Yes, Google Cloud supports IP-based access restrictions natively through context-aware access and organization policies. Enforcing the restriction in the identity provider with Conditional Access instead offers centralized enforcement across all applications that sign in through it.

How do you secure Google Cloud for remote or hybrid teams?

Organizations typically combine:

  • VPN or secure network access with trusted IP ranges
  • Multi-factor authentication (MFA)
  • Identity and access management (IAM) policies
  • Conditional Access or context-aware access controls
  • Endpoint and application control

Can attackers bypass IP-based restrictions?

Attackers may attempt to route through compromised VPNs or proxy services that present an approved address, which is why IP restrictions should be layered with additional Zero Trust controls.
